Privacy Policy
Last Updated: October 30, 2025
Welcome to Kulu ("we", "us", "our", or "Company"). We are committed to protecting your data and privacy. This Privacy Policy explains how we handle your personal data when you use our SDK, platform, and services (collectively, the "Services").
Data We Process
The Kulu SDK processes the following data:
- User Identification: User ID and description provided during SDK initialization, used to identify returning users and track their workflow progress
- Workflow Progress: Current step, completion status, and session ID to resume workflows across sessions
- Workflow Data: Workflow configuration, variables, and execution state to enable workflow resumption and continuity
- Client-Added Context: Background or metadata provided by the client for a workflow step, enabling the agent to generate context-aware responses
- Chat Interactions: Questions asked and AI responses (only if users interact with Kulu's AI agent) to provide context in future sessions
- Authentication Data: SDK key and short-lived JWT tokens for secure API communication
- Technical Data: Request logs, error information, and performance metrics for service monitoring
How We Use Your Data
We use your data to:
- We only use aggregated or anonymized information for service improvement and analytics purposes.
Data Security
We implement appropriate security measures to protect your data:
Encryption
- In Transit – All data transmitted to and from our services is encrypted using TLS 1.2 or higher
- At Rest – Sensitive data is encrypted at rest using industry-standard encryption algorithms
Access Controls
- Authentication – Secure authentication mechanisms for all user accounts
- Authorization – Role-based access control (RBAC) ensures users only access data they need
- Audit Logging – All access to sensitive data is logged and monitored
Infrastructure Security
- Network Security – Firewalls, intrusion detection, and DDoS protection
- Regular Updates – Timely patching and updates of all systems
- Vulnerability Management – Periodic security reviews
Data Storage
- All workflow progress and chat history are stored securely on Kulu's backend
- Data transmission is encrypted using HTTPS
- You can request data deletion at any time by contacting support@heykulu.ai
Data Retention
We retain personal data only for as long as necessary to deliver and maintain our Services, or as required by applicable law.
Some records (for example, access logs or billing invoices) may be retained for a limited period to meet security, compliance, and accounting obligations.
You can request deletion of your data at any time by contacting support@heykulu.ai.
Billing and Fraud Prevention Data
We process limited payment information provided by our payment processor, Stripe, to operate billing and prevent misuse.
This includes:
- Basic payment and subscription details (such as plan, payment method type, billing period, and charge status)
- Transaction history and retry outcomes for failed payments
- Minimal metadata required for fraud prevention and service reliability
Payments are handled securely by Stripe Billing. We do not store or process your full card details ourselves. Processing is based on our contractual obligations and legitimate interests in ensuring billing accuracy and service integrity. Billing data is retained for the duration of your subscription and as required by law for accounting purposes. For more information on how Stripe processes personal data, see Stripe’s Privacy Policy.
Your Rights
Depending on your location, you may have rights to:
- Access your personal data
- Correct inaccurate data
- Request deletion of your data
- Request a copy of your data
To exercise these rights, please contact us at support@heykulu.ai.
Data Processing Agreement (DPA)
For organizations requiring a Data Processing Agreement, we provide a comprehensive DPA document that outlines data processing terms and security commitments. In the event of any inconsistency between this Privacy Policy and the DPA, the DPA shall prevail for data-processing matters.
Authorized Sub-processors
Kulu engages third-party service providers (sub-processors) to deliver and maintain our services. We ensure that all sub-processors have data protection obligations substantially similar to those in our Data Processing Agreement and are bound by contractual commitments to protect your data.
Sub-processors List
| Sub-processor | Service | Location | Purpose |
|---|---|---|---|
| Supabase Inc. | Database & Authentication | EU West (London, UK) | PostgreSQL database hosting, user authentication |
| Vercel Inc. | Frontend | Global CDN | CDN and frontend application hosting |
| Render Services Inc. | Backend | EU Central (Frankfurt, Germany) | API backend hosting |
| OpenAI, L.L.C. | LLM | United States | Chat completion and embedding generation |
| ElevenLabs Inc. | Voice | United States | Voice generation for onboarding workflows |
| HeyGen Inc. | Avatar | United States | AI video avatar generation for workflows |
| Stripe | Payments | United States | Secure payment processing |
Sub-processor Changes
We may add or replace sub-processors to improve our services. When we do:
Our list of sub-processors may change from time to time as we improve or expand our Services. The most up-to-date list will always be available on this page. If any change materially affects how we handle personal data, we will update this Policy to reflect it.
Sub-processor Obligations
We ensure that all sub-processors:
- Have data protection obligations substantially similar to those in our Data Processing Agreement
- Are bound by contractual commitments to protect your data
- Comply with applicable data protection laws
We remain fully liable to you for any sub-processor's failure to fulfill their data protection obligations.
Contact Us
If you have questions about this Privacy Policy or concerns about any of our sub-processors, please contact us at:
📧 Email: support@heykulu.ai
We are committed to working with you to resolve any privacy concerns.